Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 29 Jan 2017 18:52:58 +0100
From:      Rakor <freebsd@rakor-net.de>
To:        =?utf-8?Q?Thom=C3=A1s?= <thoms3rd@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: How to use IPFW to filter routing
Message-ID:  <6B3C8792-2FEE-4FCE-952E-F13AF59E0927@rakor-net.de>
In-Reply-To: <20170129164035.GB10963@host>
References:  <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de> <20170129164035.GB10963@host>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi and thanks for your reply!

> Am 29.01.2017 um 17:40 schrieb Thom=C3=A1s <thoms3rd@gmail.com>:
>=20
> Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor:
>> As far as I know a packet is once scanned by IPFW an then first hit =
wins. So, if I set the following a packet coming from VLAN3 for port 80 =
is permitted to travel all way it wants, even to VLAN2. Putting an
> +other rule behind just allowing to travel out using igb2 is not =
checked, because the search terminated after first hit.
>>      ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state
>=20
> Have you tried something like this?
>=20
> ipfw add deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
> ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
> ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state

This will work. But for any new subnet I=E2=80=99ll have to remember to =
deny it for any other subnets. I think this can become unhandy very =
soon.


>> If I try the follwing the packets are all rejected. I think the =
inspection is done before the routing, so IPFW does not know it should =
be forwarded using igb2.
>>      ipfw add allow tcp 10.10.30.0/24 to any 80 out via igb2 setup =
keep-state
>=20
> IPFW can do routing table lookups as needed. Something else must be
> going on here. Log rules may be of help to debug and understand your
> ruleset.

I also tried it using recv and xmit rules.

First I tried:
	ipfw add allow tcp from 10.10.30.0/24 to any out recv igb0.30 =
xmit igb2 setup keep-state
it does not work.

and later I tried this=20
	ipfw add allow tcp from 10.10.30.0/24 to any out xmit igb2 setup =
keep-state=20
also not working

Anytime it was caught by my default rule at the end:
	00150 deny log logamount 5 ip from any to any

/var/log/security said:

	150 Deny TCP 10.10.30.5:51145 82.193.243.115:80 in via igb0.30

So to me it looks like he does not know that the packet will be =
transmitted via igb2 at the moment it is inspected.


>> So I don=E2=80=99t know how to filter packets that should be routed =
in a exact manner. Can you help me?
>=20
> There are plenty of ways to filter packets in that setup, the "exact"
> one depends on what you are trying to achieve.

OK. So I=E2=80=99d like to have deny by default (as ipfw is working). =
Then I=E2=80=99d like to say exactly which traffic is allowed. So in my =
mind I=E2=80=99ll have no additional deny-rules. I=E2=80=99d like to say =
from which interface to which interface the traffic is traveling, =
because this respects my VLANs. OK, because there is an IP attached to =
the devices using the subnets would do it also (but I feel more =
comfortable seeing my interfaces - maybe it=E2=80=99s stupid).

So the rules I=E2=80=99d like to write say:
"allow tcp from VLAN3 to Internet using ports 80,443 coming from igb0.3 =
going to igb2 and deny all the rest."




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?6B3C8792-2FEE-4FCE-952E-F13AF59E0927>